Report: 'Smart' meters have security holes

Mar 26, 2010 By JORDAN ROBERTSON , AP Technology Writer

Joshua Wright, a senior security analyst for InGuardians, poses for a portrait with his hacking tools in his office in East Providence, R.I., Friday, March 26, 2010. InGuardians, which was hired by three utility companies, found flaws in new "smart" meters being installed at homes and businesses across the U.S. (AP Photo/Gretchen Ertl)

(AP) -- Computer-security researchers say new "smart" meters that are designed to help deliver electricity more efficiently also have flaws that could let hackers tamper with the power grid in previously impossible ways.

At the very least, the vulnerabilities open the door for attackers to jack up strangers' power bills. These flaws also could get hackers a key step closer to exploiting one of the most dangerous capabilities of the new technology, which is the ability to remotely turn someone else's power on and off.

The attacks could be pulled off by stealing meters - which can be situated outside of a home - and reprogramming them. Or an attacker could sit near a home or business and wirelessly hack the meter from a laptop, according to Joshua Wright, a senior security analyst with InGuardians Inc. The firm was hired by three utilities to study their smart meters' resistance to attack.

These utilities, which he would not name, have already done small deployments of smart meters and plan to roll the technology out to hundreds of thousands of power customers, Wright told The Associated Press.

There is no evidence the security flaws have been exploited, although Wright said a utility could have been hacked without knowing it. InGuardians said it is working with the utilities to fix the problems.

Power companies are aggressively rolling out the new meters. In the U.S. alone, more than 8 million smart meters have been deployed by electric utilities and nearly 60 million should be in place by 2020, according to a list of publicly announced projects kept by The Edison Foundation, an organization focused on the electric industry.

Unlike traditional electric meters that merely record power use - and then must be read in person once a month by a meter reader - smart meters measure consumption in real time. By being networked to computers in electric utilities, the new meters can signal people or their appliances to take certain actions, such as reducing power usage when electricity prices spike.

But the very interactivity that makes smart meters so attractive also makes them vulnerable to hackers, because each meter essentially is a computer connected to a vast network.

There are few public studies on the meters' resistance to attack, in part because the technology is new. However, last summer, Mike Davis, a researcher from IOActive Inc., showed how a computer worm could hop between meters in a power grid with smart meters, giving criminals control over those meters.

Alan Paller, director of research for the SANS Institute, a security research and training organization that was not involved in Wright's work with InGuardians, said it proved that hacking smart meters is a serious concern.

"We weren't sure it was possible," Paller said. "He actually verified it's possible. ... If the Department of Energy is going to make sure the meters are safe, then Josh's work is really important."

SANS has invited Wright to present his research Tuesday at a conference it is sponsoring on the security of utilities and other "critical infrastructure."

Industry representatives say utilities are doing rigorous security testing that will make new power grids more secure than the patchwork system we have now, which is already under hacking attacks from adversaries believed to be working overseas.

"We know that automation will bring new vulnerabilities, and our task - which we tackle on a daily basis - is making sure the system is secure," said Ed Legge, spokesman for Edison Electric Institute, a trade organization for shareholder-owned electric companies.

But many security researchers say the technology is being deployed without enough security probing.

Wright said his firm found "egregious" errors, such as flaws in the meters and the technologies that utilities use to manage data from meters. "Even though these protocols were designed recently, they exhibit security failures we've known about for the past 10 years," Wright said.

He said InGuardians found vulnerabilities in products from all five of the meter makers the firm studied. He would not disclose those manufacturers.

One of the most alarming findings involved a weakness in a communications standard used by the new meters to talk to utilities' computers.

Wright found that hackers could exploit the weakness to break into meters remotely, which would be a key step for shutting down someone's power. Or someone could impersonate meters to the power company, to inflate victims' bills or lower his own. A criminal could even sneak into the utilities' computer networks to steal data or stage bigger attacks on the grid.

Wright said similar vulnerabilities used to be common in wireless Internet networking equipment, but have vanished with an emphasis on better security.

For instance, the meters encrypt their data - scrambling the information to hide it from outsiders. But the digital "keys" needed to unlock the encryption were stored on data-routing equipment known as access points that many meters relay data to. Stealing the keys lets an attacker eavesdrop on all communication between meters and that access point, so the keys instead should be kept on computers deep inside the utilities' networks, where they would be safer.

"That lesson seems to be lost on these meter vendors," he said. That speaks to the "relative immaturity" of the meter technology, Wright added.

Related Stories

(AP) -- The race to build a "smarter" electrical grid could have a dark side. Security experts are starting to show the dangers of equipping homes and businesses with new meters that enable two-way communication with utilities.

(Physorg.com) -- Google.org has announced "PowerMeter", a platform that will help users track their home electricity usage in real-time on their home computer. This platform will receive data from "smart meters" ...

The new "smart meters" utilities are installing in homes around the world to reduce energy use raise fresh privacy issues because of the wealth of information about consumer habits they reveal, experts said ...

MeterSmart, the foremost expert in energy data management for utilities and an energy information service of Hunt Power, today announced what may be the utility industry's most innovative meter data collection service. The ...

Don't throw away those bouncing batteries. Researchers at Princeton University have found that the common test of bouncing a household battery to learn if it is dead or not is not actually an effective way ...

In the first study of its kind, scientists at the Department of Energy's Lawrence Berkeley National Laboratory (Berkeley Lab) quantitatively show that electric vehicles (EVs) will meet the daily travel needs ...

User comments : 4

Of course they have their flaws. These devices are just as horrible as "internet censorship" and licenses and laws. The government has no place in people's homes, these meters are an invasion of privacy and it's none of their business what I make of the electricity that they sell me. If it comes down to it, I'll plan on unplugging from this nasty big brother grid technology and just use my own. Don't need it, don't want it, and the stupid USA complaining about cyber-terrorists are opening more and more doors for them to perform more vastly destructive behavior from behind their screens.

Cyber-criminals can only bring down the power plants through the internet, if you are dumb enough to hook them up to that. They would like to use the internet as a government infrastructure when it already is public, if they want a network that is secure then perhaps they should make the internet 2 for government, and the original internet for the people. Either way, you are being scammed.

how on earth does inviting big brother to turn your fridge off help? This is too invasive, I don't trust technology like this, it can be abused for far too many things. I wouldn't trust the government with it either, they want nothing more than to make you all into good little slaves, first by making you think money has value and then by destroying it's value across the globe to get you to buy into their cashless society (where they can just tell a computer to do the scamming and then blame it on a "programming glitch" if they get caught).

These meters are like a pair of shackles, soon enough they'll get everyone a pair to be good obedient slaves with.

sounds like a few people NEED to be under surveillance here - the government remains in power to guard against terror and freedom - if we huddle together in prayer we can help not worry about personal petty things.

I would rather be terrorized and allowed to defend myself than to be ruled tyrannically by the government and stripped of the power to protect myself. The cops never save you they only clean up the mess after, so why on earth should we trust the system? Does this mean the germans were right to trust hitler?

Please sign in to add a comment.
Registration is free, and takes less than a minute.
Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.